Analytic Memo 7: Planning and Conducting Attacks by ISIS

by Dack Anderson, Lead Security Consultant

As part of my academic journey at Pikes Peak State College, I had the opportunity to study ESA4010: Terrorism Threat & Risk Analysis in 2022, a critical course that deepened my understanding of terrorism-related threats, emergency response strategies, and analytical methods. Under the guidance of Professor Woody Boyd, I conducted extensive research using structured assessment models to analyze whether ISIS remains a threat to the United States.

This seventh annex examines the operational planning and tactical execution methods employed by the Islamic State, with a focus on how the group adapts its attack strategies to exploit vulnerabilities in Western and allied security infrastructures.

Key Findings

ISIS’s attack methodology is characterized by a blend of centralized planning and decentralized execution. While high-profile attacks such as those in Paris (2015) and Brussels (2016) were coordinated by ISIS’s external operations wing, many others, especially in the U.S., have been carried out by lone actors inspired by ISIS propaganda. This hybrid model allows the group to maintain operational reach while minimizing logistical exposure (Clarke & Winter, 2017). The group’s planning cycle typically includes:

• Target selection based on symbolic value or soft vulnerability

• Recruitment and radicalization via encrypted platforms and social media

• Operational training, often minimal, focused on basic weapons handling or vehicular tactics

• Execution timed for maximum media impact

  
  

ISIS’s use of encrypted messaging apps such as Telegram and Signal has enabled remote coordination with operatives in Western countries. In several thwarted U.S. plots, suspects received tactical guidance and ideological reinforcement from overseas handlers (Vidino & Hughes, 2015). The group also publishes detailed manuals in its online magazines, such as Dabiq and Rumiyah, which provide step-by-step instructions for conducting attacks, including knife assaults, vehicle ramming, and arson. Notably, ISIS has demonstrated a preference for low-cost, high-impact operations. This includes:

• Use of everyday objects as weapons (e.g., knives, vehicles)

• Targeting crowded civilian areas (e.g., concerts, markets, transit hubs)

• Exploiting gaps in local law enforcement intelligence sharing

  
  

Meaning of Findings

The findings suggest that ISIS’s operational model is designed for resilience and adaptability. By decentralizing its attack planning and empowering ideologically aligned individuals to act independently, the group circumvents traditional counterterrorism barriers. This strategy also complicates attribution and response, as many attackers have no direct contact with ISIS leadership.

Moreover, the emphasis on symbolic targets, such as military personnel, religious institutions, and cultural landmarks, reflects ISIS’s intent to provoke societal division and undermine public confidence in government protection. The psychological impact of these attacks often exceeds their physical damage, aligning with the group’s broader goal of destabilization through fear. The use of encrypted communication and open-source tactical guidance further illustrates ISIS’s evolution into a digital insurgency. Its ability to disseminate operational knowledge without physical presence makes it a persistent threat, especially in societies with limited community-based counter-radicalization programs.

Assessment of Findings

The continued threat posed by ISIS’s attack planning model underscores the need for proactive countermeasures that go beyond traditional surveillance and interdiction. U.S. agencies must invest in:

• Community engagement to identify early signs of radicalization

• Improved interagency intelligence sharing, especially at the local level

• Digital counter-messaging to disrupt ISIS’s online recruitment pipeline

  
  

Additionally, the persistence of lone-actor terrorism suggests that ideological appeal remains potent. ISIS’s framing of attacks as acts of religious duty or martyrdom continues to resonate with disaffected individuals. This ideological infrastructure must be dismantled through strategic communication and targeted de-radicalization efforts. Ultimately, while ISIS may lack the territorial control it once held, its capacity to inspire and guide attacks remains intact. The group’s operational decentralization is not a sign of weakness; it is a calculated adaptation to modern counterterrorism environments.

References:

George Washington University. (2022). ISIS in America. Retrieved from GW Program on Extremism: https://extremism.gwu.edu/isis-america 

Harrison, S. (2018, March 22). Evolving Tech, Evolving Terror. Retrieved from Center for Strategic & International Studies: https://www.csis.org/npfp/evolving-tech-evolving-terror 

McEntire, D. A. (2019). Introduction to Homeland Security: Understanding Terrorism, Prevention, and Emergency Management. Wiley.

Nance, M. W. (2017). Hacking ISIS: How to Destroy the Cyber Jihad. Simon & Schuster.

Office of the Director of National Intelligence. (n.d.). To Catch a Terrorist. Retrieved from Intel.gov: https://www.intelligence.gov/mission/intel-stories/367-to-catch-a-terrorist 

Shinkman, P. (2021, October 26). ISIS in Afghanistan Could Attack U.S. Within 6 Months: U.S. Intelligence. Retrieved from U.S. News & World Report: https://www.usnews.com/news/national-news/articles/2021-10-26/isis-in-afghanistan-could-attack-us-within-6-months-us-intelligence 

Wilson Center. (2021, December 16). U.S. Report: ISIS and Al Qaeda Threats. Retrieved from Insight & Analysis: https://www.wilsoncenter.org/article/us-report-isis-and-al-qaeda-threats